Topic: ZeroAccess... thought this was gone

donkrx

  • Guest
ZeroAccess... thought this was gone
« on: March 16, 2013, 02:40:32 AM »
OK, so thankfully I kept on reading about malware etc. and came across a video on YouTube talking about ZeroAccess. I checked into some of the things he was pointing out as symptoms and sure enough I have them, but I have not seen anything in Sysinternals Process Explorer or in my network activity.

I had ZeroAccess on my system maybe a week ago when I opened a "crack" (I'm a dumbass honestly, I should know better) and since AVG could not handle it I went to the forums and found someone suggesting to use RogueKiller and HitmanPro. I used those in conjunction and they both seemed to deal with the threat; I was able to "replace" the infected svchost.exe and basically every single symptom that I noticed was gone at the time. I ran scans with Malwarebytes, Avast, HitmanPro, as well as an Avast boot scan, which all came back clean. Since then I've been doing everything sandboxed. I also looked into things with Sysinternals Process Explorer and found absolutely nothing suspicious.

What I did just recently was I ran TDSSKiller, had to do it a couple of times with different options and I got different results... but it found things. So I followed along to remove or quarantine and then rebooted. After reboot, Sysinternals Process Explorer does not work (got it to work in Sandboxie though) and a lot of very suspicious things started happening. Something changed slightly with the TDSSKiller scan and I can tell it's being faked (specifically it appears to skip over the drivers in %windir%/system32/drivers).

Surprisingly, Autoruns works just fine without any virtualization trickery, and looking in there I see many suspicious items. I'm going to try to disable just the ones that I am very confident won't break my computer and see what happens. Other than that, please advise.

Thank you guys .... :(
« Last Edit: March 16, 2013, 02:43:32 AM by donkrx »

donkrx

  • Guest
Re: ZeroAccess... thought this was gone
« Reply #1 on: March 16, 2013, 03:00:31 AM »
Also, there are a bunch of suspicious files/drivers/DLLs I've identified, but I am locked out of scanning them on virustotal.com (I can reach the site but the ones I want to scan don't show up when I try to navigate to them). One of them for example is "gatherNetworkInfo.vbs". Does not sound friendly lol.

This thing seems to have dropped/downloaded an ass ton of shit today, I don't think a lot of this was here before.

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • Posts: 1556
Re: ZeroAccess... thought this was gone
« Reply #2 on: March 16, 2013, 08:45:48 AM »
Hey, I would suggest you follow this guide and let a malware expert have a second look at your system, since ZeroAccess is a nasty infection.

http://forum.avast.com/index.php?topic=53253.0
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

donkrx

  • Guest
Re: ZeroAccess... thought this was gone
« Reply #3 on: March 16, 2013, 09:19:56 AM »
OK. Thanks, I had to cut the internet out because I found it taking screenshots of my web searches, so I'm on my phone for now... Since it was sandboxed it was easy for me to find them.

I managed to succeed with a few things. I used Autoruns to stop some things from executing, which enabled me to then delete malware DLLs. I found what might be an important executable, and deleted user accounts that weren't supposed to be there. I still have files in the recycle bin if needed and I've stayed away from direct registry editing... Probably gonna make a restore point again now.

A question I have is this: if I delete all the stuff making the malware run and initialize, how would I repair the system processes like explorer.exe that have been injected with malicious code? Does the injection go away if the files are removed or does it have to be repaired by something like ComboFix?
« Last Edit: March 16, 2013, 09:37:34 AM by donkrx »

Offline Pondus

  • Probably Bot
  • Posts: 37337
  • Not a avast user
Re: ZeroAccess... thought this was gone
« Reply #4 on: March 16, 2013, 09:53:07 AM »
If you follow the guide given to you above, then one of the removal experts will do it for you.

Attach logs from AdwCleaner / Malwarebytes / OTL / aswMBR.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ZeroAccess... thought this was gone
« Reply #5 on: March 16, 2013, 04:46:22 PM »
Do not delete anything from TDSSKiller that is marked as suspicious; you could break the system.

donkrx

  • Guest
Re: ZeroAccess... thought this was gone
« Reply #6 on: March 20, 2013, 09:38:05 PM »
Sorry, I meant to come back and reply to this but I just had a lot to think about this week. At any rate, I decided to reformat.

I ended up doing what I could with Sysinternals tools to clean my PC, then I moved my media (500 GB worth). I mostly just wanted to see what I could find/learn/do manually... yes, I knew I could break the system, but sometimes you can't learn without breaking, lol (though I didn't mean to delete that once). Also, I found out that the screenshots were actually "legitimate" and from Firefox (sketchy if you ask me).

After I ran TDSSKiller the first time and rebooted and obviously got reinfected at logon, I stopped getting any sort of help or detections from anti-malware software. So many things were completely confusing and contradictory that I really can't give any sort of conclusion about this thing other than it gave me a gigantic F'ing headache lol... but I guess I brought that upon myself this time because I wanted to take a shot at it.

I actually wish I remembered where I got this specific piece of malware so I could go and put it on a virtual machine lol. Anyway, sorry to waste your time.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ZeroAccess... thought this was gone
« Reply #7 on: March 20, 2013, 09:45:22 PM »
Time is never wasted. I am here if required.